Achieving PCI Level I and Securing the Data Participants Leave Behind
September 12, 2012
I recently ran a rugged 12-mile course in Cascade, WI filled with obstacles, shock treatment, icy waters and tons of laughs. After the weekend came to a close, besides the memories and bruises very little was left behind – or was there?
As a frequent event participant and SignMeUp Vice President of Payments, I carefully consider how merchants accept and store my sensitive information. If you offer online event registration, you too must be concerned about how your registrant data is protected. Speaking from experience, having a credit card or social security number compromised takes an average of 80-120 hours of effort to rectify. As information sharing across various marketing channels is now commonplace, securing online data has become all the more critical. At the same time, the requirements involved with protecting the most valuable elements have become more complex.
Until recent years, the process of securing credit card transaction data was left up to the merchant, software provider and third-party company. With massive data security breaches at well-known brands such as TJ Maxx, Wyndham Hotels, and Bank of America, improvement in and standardization of the card data security process clearly became necessary. The days of throwing customer receipts in a drawer, writing card numbers on the back of napkins, or emailing card data after playing a game of Angry Birds were no longer acceptable. As a result, Visa and MasterCard developed the security criteria now called the Payment Card Industry (PCI) standards. Companies such as American Express, Discover, JCB and others also contributed to and shaped the requirements that must be met to store, transmit or otherwise handle sensitive card data.
Before your eyes glaze over, know that PCI plays an important role in ensuring that merchants make an effort to protect card and customer data. With 12 core requirements and approximately 245 controls in place, PCI creates the uniformity that businesses and software providers require. In addition, an accreditation process was established to ensure that those who need to become PCI compliant do so according to the rules. Lastly, because of the rising cost to consumers and card issuers (banks) for replacing cards and lost revenue, the PCI Council has implemented severe fines of $90 – $250 per stolen record for merchants that are breached while not PCI compliant. These fines can be a death blow to small businesses, let alone the brand damage, customer lawsuits and lost revenue that follow as resources are diverted to the breach response.
SignMeUp has achieved the highest level of PCI compliance (Level I) based on our adherence to the regulations and our transaction levels. Reaching Level I is a rigorous and meticulous process, and requires an audit by a specialized third-party company. You can be confident that your online registrant data is secure.